Re: [http-auth] REST-GSS I-D posted

Nico Williams <nico@cryptonector.com> Wed, 08 June 2011 15:18 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=xwESeUwxvsE++DUeV1HYbm5/WzTKCM5aEkdUt3yqxStO v3077Bw40V/lS3GfLpmCPKBDFj5IRQ0x53aE9/kbkOFZ5I1cpcFf2g/JJi819Aql W6bafcYFPgWYgtQq6Jb5/fzaKRm4eblxQFgeqIvN6VfceuCM/Wjh2B39QzLU64c=
MIME-Version: 1.0
In-Reply-To: <BANLkTikKts6YfAXqcWnD+689wv5iW3M5Cw@mail.gmail.com>
References: <BANLkTimAw-HG9xVzumzbBKhW+H7WGB8+DA@mail.gmail.com> <BANLkTikKts6YfAXqcWnD+689wv5iW3M5Cw@mail.gmail.com>
Date: Wed, 08 Jun 2011 10:17:06 -0500
Message-ID: <BANLkTimhDbPGNOBLS3H6ajeLEObi4pE6zQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "KIHARA, Boku" <bkihara.l@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: http-auth@ietf.org
Subject: Re: [http-auth] REST-GSS I-D posted
Precedence: list

On Wed, Jun 8, 2011 at 3:59 AM, KIHARA, Boku <bkihara.l@gmail.com> wrote:
>> 2.9.  Server Indication of Authentication Requirement
>>
>>    When the server wishes to indicate that the client must authenticate
>>    in order to access a given resource, then the server MUST respond to
>>    the client's HTTP request with either a redirection to a web page
>>    with a 303 redirect to a login page (this in the case of browser
>>    applications) or a TBD 4xx error indicating that access requires
>>    REST-GSS login and, optionally directing the client to the REST-GSS
>>    login URI by listing that URI in a response header field named 'REST-
>>    GSS-Authenticate'.
>>
>
> I'm not sure whether the 'REST-GSS-Authenticate' field is allowed for
> only 4xx responses or both 303 and 4xx responses.

Only for 4xx responses.  But I'm thinking I don't want to add any new
4xx codes, so I think we might want to do the 303 thing in all cases,
with non-browser apps having to recognize that the URI being
redirected to is the REST-GSS login URI.

>> 3.1. Server Decides When to Authenticate
>>       C->S: HTTP/1.1 GET /some/resource
>>             Host: A.example
>>
>>       S->C: HTTP/1.1 303 http://A.example/login.html&<encoded-URI>
>>
>>               Authentication required indication browser apps
>
> Is the URI 'http://A.example/login.html&<encoded-URI>' intended for
> the 'Location' field?

Ooops, yes.

> What is the clinging '<encoded-URI>'? If it is the REST-GSS login
> URI, what is the purpose of this URI here? I think browsers cannot
> (or should not) detect the REST-GSS login URI because it is merely a
> part of the redirection URI, and servers do not need the '<encoded-URI>'
> because they already know the REST-GSS login URI.

The idea was to make sure the browser could be redirected back to the
original resource when login completes.

Browsers would be redirected to a login page where there will be a
button that causes the browser to initiate and complete REST-GSS
login.  I'd like the end result to be that the user ends up on the
page that had required authentication.

>>       C->S: HTTP/1.1 GET /some/resource
>>             Host: A.example
>>
>>       S->C: HTTP/1.1 4xx
>>             REST-GSS-URI: http://A.example/rest-gss-login
>>
>>           Authentication required indication for non-browser apps
>
> In this example, the 4xx response has the filed have a field named
> 'REST-GSS-URI', which is different from 'REST-GSS-Authenticate'
> mentioned in 2.9. So which is correct or am I referring different
> things?

Ah, that's just me going too fast.  I'll fix that.  Good catch!

> Sorry for my poor English and small amount of comments, but I hope these help.

Your English is fine.  Thanks for your comments!

Nico
--

[http-auth] REST-GSS I-D posted Nico Williams
Re: [http-auth] REST-GSS I-D posted KIHARA, Boku
Re: [http-auth] REST-GSS I-D posted Nico Williams